Confidentiality & Privacy Flashcards
What kind of party losses are compensatory damages?
3rd party losses because they provide restitution for the harm caused to consumers.
What is symmetric key encryption?
- It is a type of encryption that uses the same private key for encryption and decryption.
- This encryption type is good for protecting data at rest in a database.
- It uses Advanced Encryption Standard (AES) to generate keys of 128, 192, or 256 bits.
What is asymmetric encryption?
- It is encryption in which a public key is used for encryption and private key is used for decryption.
- Asymmetric encryption uses the RSA algorithm to generate keys.
This encryption uses key length of 2048, 3072, or 4096 bits.
What is the RSA algorithm?
- It is an algorithm in which RSA is used in blockchain technology, for digital signatures, and situations where identification is necessary.
- RSA requires much larger keys than AES, usually 2048, 3072, or 4096 bits.
What does symmetric encryption secure?
It secures the actual data being transmitted.
What does asymmetric encryption do?
It it used to establish a secure communication channel
What is a suitable choice for securing email communication or messaging applications?
Asymmetric encryption because there are separate public and private keys
Merchants that process credit cards must comply with what?
Payment Card Industry Data Security Standard (PCI DSS)
What is tokenization?
- It is a data obfuscation (process of concealing information) technique where it substitutes a customer’s credit card number with a random alphanumeric string (the token).
- The merchant transfers the token to the payment processor who then tokenizes (a process of HIDING your customer’s card information with a randomly generated series of letters and numbers or an alphanumeric string of characters called a “token” that can only be decrypted by the bank when processing a transaction) the token to confirm payment.
What does encryption use that tokenization doesn’t use?
Keys
What is data masking?
- AKA DATA REPLACEMENT
- It is a technique in which the masking PERMANENTLY substitutes data with fake data that appears equivalent to the original.
- Ex: Denny Miyasato becomes Joel Kasten
When you hear MASK, think of Halloween masks.
What is data replacement?
AKA HASHING
It involves replacing real data with meaningless symbols
What are the 4 phases of the data life cycle?
- Creation/collection
- Use
- Storage
- Disposal
Management should design and implement controls that ensure that data collection forms ask for what?
The MINIMUM INFORMATION NECESSARY for legitimate and lawful purposes
What are examples of risk assessment procedures?
- Re-performance (walkthrough)
- Inquiry
- Inspection
- Observation
What is a walkthrough?
- It is a risk assessment procedure where a combination of risk assessment controls (inquiry, inspection, observation) are used to compare a process to the documented policy
To provide the same level of assurance as an inked signature in a paper transaction, what would a digitally signed transaction use?
Hashing and asymmetric encryption for authentication
What is hashing?
- AKA Data Replacement.
- Hashing uses an algorithm to change data into a fixed string (ex: ###).
- After hashing the signature, the signer encrypts it using a private key.
- The receiver is given a public key to decrypt the hashed signature.
Privacy regulations (HIPAA) require the data subject’s _____ before the data holder can disclose information.
INFORMED CONSENT
What is change management?
- It is an IT practice designed to minimize disruptions to IT services while making changes to critical systems and services.
- A change is adding, modifying, or removing anything that could have a direct/indirect effect on services.
How should proprietary information be classified?
Confidential
What is a digital signature?
- It is a cryptographic technique used to verify the authenticity and integrity of digital messages, etc.
- Digital signatures are encrypted, geolocated, and time stamped to authenticate signer’s identity.
What kind of encryption does digital signatures rely on?
- Asymmetric encryption.
- If a sender signs a message, they use their private key to create a unique digital signature.
- Sender then transmits both original message and digital signature to the recipient.
- The recipient employs the sender’s public keys to verify the authenticity of the signature.
What is privacy?
In the context of the Trust Services Criteria, PRIVACY deals only with handling PERSONAL DATA (how it’s collected, used, retained, disclosed, disposed of)
What is confidentiality?
It deals with a broad range of sensitive info, such as proprietary, strategic, financial, and personal data.
What is the purpose of data security controls?
It is to ensure that storage media are subject to authorization prior to access, change, or destruction.
Examples of data security controls:
- Access control lists
- Firewalls
- Intrusion detection systems
- Intrusion prevention systems
- Data encryption
What is public key encryption?
- AKA Asymmetric key encryption.
- It uses a pair of keys, a public key and a private key, to encrypt and decrypt data, respectively.
- Public key is available to anyone who wants to send an encrypted message to the owner of the private key.
- The public key is used to encrypt the data and can be shared freely.
What is private key encryption?
- AKA Symmetric key encryption.
- The same key is used to both encrypt and decrypt the message.
- The sender and recipient must have the same encryption key in order to communicate securely.
Data Loss Prevention solutions are designed to do what?
To protect data based on the data’s state (at rest, in transit, in use)
What is Acceptable Use Policy?
They are policies that establish guidelines for the use of an organization’s assets (hardware, software)
